
Cisco ASA Anyconnect and MS CA server


I understand this might not be directly related to Cisco but I'm having a hard time finding info and trying to get it work.

Pretty much I'm trying to move away from using the inbuilt CA on the ASA for authenticating users with certs. I've managed to get the firewall to use SCEP and OCSP so it can autoenroll users when they first login and OCSP to check if their cert has been revoked. My main problem now is that a new cert is enrolled every time the user logs into a new device, so each user has a new cert on every device they login with. I want to restrict this so a single cert is only issued out to a single device for each user (so if they login with a new device autoenroll won't work and they can't get a cert) and when that cert is revoked (e.g. user got a new laptop) they can login with AnyConnect and they will autoenroll with a new cert.

I'm finding it hard trying to find anything on the MS CA that can do this, so what I'm asking is if the ASA can play any part of doing this, or is there a function on the MS CA that I'm missing that can do this.

Really appreciate any response as I'm stuck.


Hi @BVC 

Create another tunnel-group/connection that doesn't use SCEP enrollment. So for the first connection the user connects to a cert enroll connection profile/tunnel-group, receives a certificate and a new XML profile. From then on they connect to the 2nd connection profile/tunnel-group and use the certificate to authenticate.

Hi Rob,

Thank you for the reply. I think I understand what you mean, but will that help with my problem? As users could just get onto another device, choose the tunnel group that enrolls them with the cert and get the cert that way. Then they just login with the other tunnel group with the cert that has been distributed to other devices the user has logged in with. 

@BVC when connected to the certenroll connection profile, apply an interface ACL or VPN Filter or DACL to restrict access only to the CA to allow them to enroll for a certificate. They must connect to the other connection profile that gives them full access; obviously this will require some user instructions/training.


Ideally if possible you'd pre-deploy the certificates, if you have AD you can use a GPO to do this when they are connected to the network. You'd not need a cert enroll connection profile then.
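The two-profile layout Rob describes, written out as an added ASA configuration example (this is not Rob's config or anything posted in the thread). The CA address 10.10.10.20, the SCEP URL path, the pool, AAA server and object names are all assumed placeholders, and the VPN filter is written on the assumption that vpn-filter ACEs take the VPN client as the source:

```text
! --- Added example, not from the original post. Names/addresses are placeholders. ---

! VPN filter for the enrollment profile: only SCEP (HTTP) to the MS CA host,
! everything else from the client is dropped and logged.
access-list ACL-CA-ONLY extended permit tcp any host 10.10.10.20 eq www
access-list ACL-CA-ONLY extended deny ip any any log

! Group policy 1: enrollment only. The ASA proxies SCEP to the MS CA (NDES)
! and the filter above keeps the session from reaching anything but the CA.
! The pushed XML profile points the client at the full-access connection.
group-policy GP-ENROLL internal
group-policy GP-ENROLL attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ACL-CA-ONLY
 scep-forwarding-url value http://10.10.10.20/certsrv/mscep/mscep.dll
 webvpn
  anyconnect profiles value PROFILE-FULL type user

! Group policy 2: normal access, no SCEP enrollment, no filter.
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client

! Connection profile 1: AD username/password only; its job is to hand out the cert.
tunnel-group TG-ENROLL type remote-access
tunnel-group TG-ENROLL general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-ENROLL
tunnel-group TG-ENROLL webvpn-attributes
 authentication aaa
 group-alias "Certificate Enrollment" enable

! Connection profile 2: certificate required; this is the everyday profile.
tunnel-group TG-FULL type remote-access
tunnel-group TG-FULL general-attributes
 address-pool VPN-POOL
 default-group-policy GP-FULL
tunnel-group TG-FULL webvpn-attributes
 authentication certificate
 group-alias "VPN" enable
```

With the filter in place the enrollment profile can only ever reach the CA, so connecting to it yields a certificate and nothing else; it does not by itself limit how many devices a user enrolls.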
